RustFS, Information Disclosure Vulnerability (Critical)

Listen to this Post

The vulnerability exists within the STS (Security Token Service) credential generation handler. When a request (e.g., AssumeRole) is processed, the application logic in `rustfs/src/admin/handlers/sts.rs` at line 138 constructs a new `Credentials` object containing the sensitive access_key, secret_key, and session_token. This object is then passed directly into a log macro call at the INFO severity level (e.g., info!("AssumeRole get new_cred {:?}", credentials);). The logging framework serializes the entire object, including all private fields, into plaintext. These log entries are written to the application’s standard output or log files without any sanitization. Any entity with read access to these logs—be it a system administrator, a compromised logging agent, or an external log aggregation service—can trivially extract the full credential set. The credentials remain valid until their expiration, allowing an attacker to impersonate the assigned role and perform unauthorized API operations against the RustFS service.
Platform: RustFS
Version: Unspecified
Vulnerability : Information Disclosure
Severity: Critical
date: 2026-01-17

Prediction: Unspecified

What Undercode Say:

grep -n "secret_key" /var/log/rustfs/app.log
tail -f /opt/rustfs/logs/application.log | grep --line-buffered "Credentials"
jq -r '.message | select(contains("secret_key"))' /var/log/rustfs/structured.log
cat rustfs/src/admin/handlers/sts.rs | grep -A5 -B5 "info!"

How Exploit:

1. Gain log read access.

2. Search for “Credentials {” patterns.

3. Extract access_key, secret_key, session_token.

4. Configure AWS CLI/RustFS client with stolen credentials.

5. Execute authenticated commands until token expiry.

Protection from this CVE

Implement log redaction filters.

Remove sensitive fields from Debug trait.

Downgrade log statement to DEBUG level.

Enforce strict log file permissions.

Use centralized log management with scrubbing.

Impact:

Credential Theft

Session Hijacking

Privilege Escalation

Compliance Violations

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top